The user of a stand-alone or networked computer system, both hereinafter collectively called an end user system, often has a need to import data or whole programs or parts of programs, hereinafter collectively and individually called program components, from an external source to enable the end user system to operate in a desired manner. The term program component is used herein to denote material which is interpreted by a computer system to operate the system in a specific manner, whereas data is the information material upon which the computer system acts under the direction of the program components.
Users, particularly banks and other financial institutions, need to be able to inspect incoming program components and data to ensure that they will not corrupt or otherwise adversely affect the data and operating programs held in their systems. This is particularly important where there are a number of computer systems operating within a network and in which the network or computer systems within that network have a number of points at which access to external data and program sources can be made.
Where the system is a closed network and the data or program components are provided from other units within the same network, the user can satisfy himself that the data and program components do not contain material which could adversely interact with the data and programs held on his particular unit of the network. Such satisfaction will typically involve the inspection of the computer listings upon which the program is based to ensure that there are no errors or adverse components within the program. However, where the program or program component being imported is large and complex, such inspection and verification becomes excessively time consuming and expensive and therefore impractical.
Where the end user network or stand-alone system is to receive data or program components from a source which is external to the network, for example from the Internet or an external database, the risk of deliberate or accidental introduction of program components which can adversely interact with the data or programs already held in that end user system is increased. Since the external data source may be operating under one or more large and complex programs, which are themselves under continual updating and revision, it is effectively impossible to inspect each program and every modification of the program to ascertain that the end user system will not import adversely acting material.
There are a number of forms of program components which can cause corruption or damage to data or programs held in an end user system and/or can cause other deleterious effects when imported into the end user system. Such program components include those which are deliberately designed to corrupt the data or operating programs of the end user system; those which collect confidential data from the end user system and transmit that data to an external location without the end user being aware that such unauthorised transmission or theft of data is taking place; and programs which deny the user full and proper use of the end user system, for example by introducing repeating closed loop operations which consume the computing capacity of the end user system or deny access to areas of the end user system. Such program components are known as viruses, zappers, hostile Applets, Trojan Horses and service deniers and will be generically denoted as viruses hereinafter. A widespread concern is the deliberate distribution of such virus programs or program components into an end user system where they are executed and adversely interact with or cause disruption to the proper operation of the system. Whilst an end user can repeatedly inspect data and programs within a closed network to detect such viruses, the end user cannot inspect the external data or program source for such viruses and must accept the risk that any import of data or program components from an external source may import viruses into his system.
In order to reduce the risk of importing material from an external source which could adversely interact with an end user system, it is commonplace to screen all incoming data and programs or program components to identify the source of that material. Only material from specified sources is permitted access into the end user system. The end user can satisfy himself that such sources provide known quality of data and/or programs which have been inspected. Alternatively, the user can base his confidence in the source of material on its reputation for accuracy in compiling programs and for reducing the presence of possible adversely acting program components in any program components it makes available to end users. Such screens are known in the computer field as firewalls and act uni-directionally on a communications hardware level to allow incoming material to pass if it comes from a specified communication address or to destroy incoming material if it does not come from a specified source.
However, a firewall prevents access by the operator of an end user system to data and programs which are from non-specified sources. This restricts the freedom of the user to access alternative sources until they have been inspected and authorised. Furthermore, where the external source is operating under a large or complex program, such inspection is not practical and any authorisation of access to that external source may destroy the integrity of the end user system.
These problems are aggravated where there are many points in the end user system from which external sources of data and programs can be accessed. It has been proposed to limit the number of such access points in an end user system and to ensure that all incoming material is fully screened at the permitted access points. However, this can lead to excessive bottlenecks in the operation of the system and delays in accessing the external source from any given end user computer system in a network.
It is also commonplace to provide one or more virus detection programs within an end user system. These operate by recognising characteristic patterns in the virus program and destroying the virus program before it is executed within the end user system. The detection program may also recognise specific sites in an operating program to which a virus may attach and remain dormant until executed, and thus detect when a virus is present by a change in such a site. However, this requires the detection program to recognise specific features or patterns and requires that the virus be imported into the end user system before it can be identified and neutralised. Furthermore, where the virus is one which is not recognised by the virus detection program, for example because it is a new virus or a mutation of an existing one, the virus may not be detected and may be executed within the end user system.
In many applications it is desirable to include program components within a stream of data from an external source to enable the end user system to handle that data effectively. For example, many data sources written in the JAVA language utilise mobile program components, or Applets, in the data stream transmitted to an end user system to enable the end user system to handle data more effectively, for example to create images upon the end user system video screen from data already held at the end user system. This avoids the need to transmit the data for each image from the external source and thus speeds up the operation of the end user system.
Such program components are termed mobile since they are intended to be imported into the end user system and to be executed within that system and to interact in a beneficial manner with the data and program components held at the end user system. It is therefore necessary that they should be accepted by the end user system. They therefore pass through any firewall and are not rejected or destroyed by a virus detection program. It has been proposed to sign and seal such program components cryptographically so as to identify the program component as coming from an authorised source, for example one where the components have been individually inspected. However, this requires the end user to place complete trust in the integrity and competence of the organisation cryptographically signing and sealing the program components they export.
Where the program or program component imported from the external source is large and complex and/or is constantly being updated, as is the case with network browser programs, it is not possible to provide a high level of confidence in such programs or program components. This may present an acceptable risk to the operator of the end user system when balanced against the advantages that the use of such program components gives.
However, it is possible that such mobile program components, whilst satisfying the authentication or identified-source criteria, can be interpreted incorrectly in the end user system and/or can deliberately or accidentally interact adversely with the data and/or program components already held by the end user system. This raises a problem for the end user operator. On the one hand, the importation of the mobile program components is desirable for the proper operation of the end user system; on the other, they can cause corruption of data and damage to the operating and other programs held by the end user system. The conventional firewall or virus detection programs cannot protect the end user system without preventing proper operation of the system.
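The three conventional screens described above (firewall by source address, virus detection by known pattern, and cryptographic sealing by an authorised source) can be modelled to show why an unknown mobile component from an authorised source is admitted by all of them. The following is an added illustration, not code from the patent; the addresses, patterns, key and applet byte strings are constructed sample values, and HMAC-SHA256 stands in for whatever signing scheme an authorising organisation would actually use.

```python
import hashlib
import hmac

# Constructed sample values for this illustration, not figures from the patent text.
TRUSTED_ADDRESSES = {"192.0.2.10"}               # firewall allow-list (RFC 5737 documentation range)
KNOWN_VIRUS_PATTERNS = [b"ERASE_BOOT_SECTOR"]    # characteristic patterns the scanner already knows
SIGNING_KEY = b"constructed-demo-key"            # shared with the authorised (sealing) source

def firewall_permits(source_address: str) -> bool:
    """Firewall stage: decides purely on the communication address the material arrived from."""
    return source_address in TRUSTED_ADDRESSES

def scanner_permits(component: bytes) -> bool:
    """Virus-detection stage: decides purely on byte patterns it has been taught to recognise."""
    return not any(pattern in component for pattern in KNOWN_VIRUS_PATTERNS)

def seal(component: bytes) -> str:
    """Seal applied by the authorised source (HMAC-SHA256 stands in for a real signature scheme)."""
    return hmac.new(SIGNING_KEY, component, hashlib.sha256).hexdigest()

def seal_permits(component: bytes, signature: str) -> bool:
    """Seal stage: proves origin and that the bytes were not altered, nothing about behaviour."""
    return hmac.compare_digest(seal(component), signature)

def conventional_gate(source_address: str, component: bytes, signature: str) -> dict:
    """Run all three screens and report each verdict; the component is admitted only if all pass.
    Note that no stage looks at what the component would do once executed."""
    verdict = {
        "firewall": firewall_permits(source_address),
        "scanner": scanner_permits(component),
        "seal": seal_permits(component, signature),
    }
    verdict["admitted"] = all(verdict.values())
    return verdict

# Constructed mobile components: plain byte strings fed to the screens, never executed.
KNOWN_VIRUS = b"APPLET: ERASE_BOOT_SECTOR"
BENIGN_APPLET = b"APPLET: DRAW_IMAGE_FROM_LOCAL_DATA"
# Same benign behaviour plus the unauthorised data export the text describes; no known pattern matches.
UNKNOWN_HOSTILE = b"APPLET: DRAW_IMAGE_FROM_LOCAL_DATA; COPY_LOCAL_FILES_TO_REMOTE_HOST"

if __name__ == "__main__":
    for name, comp in [("known virus", KNOWN_VIRUS), ("benign applet", BENIGN_APPLET),
                       ("unknown hostile", UNKNOWN_HOSTILE)]:
        print(name, conventional_gate("192.0.2.10", comp, seal(comp)))
```

The benign and the unknown-hostile applet receive the identical verdict from every stage, which is the gap the text identifies: each screen tests identity, origin or a known pattern, not the effect the component has once it runs.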
The problem of deliberate or accidental errant interaction of desirable mobile program components from an external source has been recognised as a major problem by the computer industry, but no effective solution has yet been proposed.
We have now devised a method and apparatus by which an end user system can be protected from the errant effects of such otherwise desirable mobile program components imported from an external source.